
Fix potential SQL Injection with postgis TIME filters (#4834)

rouault authored and tbonfort committed Dec 31, 2013
1 parent eee7af4 commit 3f0ee57b12d482e0ff5611d05afd32408949f7f9
Showing with 5 additions and 0 deletions.
  1. +5 −0 mappostgis.c
@@ -2970,6 +2970,11 @@ int msPostGISLayerSetTimeFilter(layerObj *lp, const char *timestring, const char
if (!lp || !timestring || !timefield)
return MS_FALSE;

if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()");
return MS_FALSE;
}

if (strstr(timestring, ",") == NULL &&
strstr(timestring, "/") == NULL) /* discrete time */
tmpstimestring = msStrdup(timestring);
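Review bot: The new guard in msPostGISLayerSetTimeFilter() is a denylist of `'` and `\`, so it only holds if every later use of `timestring` places the value inside a single-quoted SQL literal, which is not visible in this hunk. An allowlist is easier to audit, e.g. `if (timestring[strspn(timestring, "0123456789-:.TZ,/ ")] != '\0')` before the same msSetError/return — the exact character set is a guess and must be checked against the time formats the layer accepts. Either way a comment such as `/* timestring is embedded in a quoted SQL literal below; reject anything that could close or escape it */` would record the invariant the check depends on. `timefield` gets no equivalent check; that is fine only if it always comes from the mapfile and never from the request, which should be confirmed. The function body continues past the end of the hunk.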
